key management interoperability protocol specification ...docs.oasis-open.org › kmip › spec ›...

kmip-spec-v1.3-os 27 December 2016 Standards Track Work Product Copyright © OASIS Open 2016. All Rights Reserved. Page 1 of 221

Key Management Interoperability Protocol Specification Version 1.3

OASIS Standard

27 December 2016

Specification URIs This version:

http://docs.oasis-open.org/kmip/spec/v1.3/os/kmip-spec-v1.3-os.docx (Authoritative) http://docs.oasis-open.org/kmip/spec/v1.3/os/kmip-spec-v1.3-os.html http://docs.oasis-open.org/kmip/spec/v1.3/os/kmip-spec-v1.3-os.pdf

Previous version: http://docs.oasis-open.org/kmip/spec/v1.3/csprd01/kmip-spec-v1.3-csprd01.docx (Authoritative) http://docs.oasis-open.org/kmip/spec/v1.3/csprd01/kmip-spec-v1.3-csprd01.html http://docs.oasis-open.org/kmip/spec/v1.3/csprd01/kmip-spec-v1.3-csprd01.pdf

Latest version: http://docs.oasis-open.org/kmip/spec/v1.3/kmip-spec-v1.3.docx (Authoritative) http://docs.oasis-open.org/kmip/spec/v1.3/kmip-spec-v1.3.html http://docs.oasis-open.org/kmip/spec/v1.3/kmip-spec-v1.3.pdf

Technical Committee:

OASIS Key Management Interoperability Protocol (KMIP) TC

Chairs: Tony Cox ([email protected]), Cryptsoft Pty Ltd. Saikat Saha ([email protected]), Oracle

Editors: Kiran Thota ([email protected]), VMware, Inc. Tony Cox ([email protected]), Cryptsoft Pty Ltd.

Related work:

This specification replaces or supersedes:

Key Management Interoperability Protocol Specification Version 1.0. Edited by Robert Haas and Indra Fitzgerald. 01 October 2010. OASIS Standard. http://docs.oasis-open.org/kmip/spec/v1.0/os/kmip-spec-1.0-os.html.

Key Management Interoperability Protocol Specification Version 1.1. Edited by Robert Haas and Indra Fitzgerald. 24 January 2013. OASIS Standard. http://docs.oasis-open.org/kmip/spec/v1.1/os/kmip-spec-v1.1-os.html.

Key Management Interoperability Protocol Specification Version 1.2. Edited by Kiran Thota and Kelley Burgin. 19 May 2015. OASIS Standard. http://docs.oasis-open.org/kmip/spec/v1.2/os/kmip-spec-v1.2-os.html.

This specification is related to:

Key Management Interoperability Protocol Profiles Version 1.3. Edited by Tim Hudson and Robert Lockhart. Latest version: http://docs.oasis-open.org/kmip/profiles/v1.3/kmip-profiles-v1.3.html.

http://docs.oasis-open.org/kmip/spec/v1.3/os/kmip-spec-v1.3-os.docxhttp://docs.oasis-open.org/kmip/spec/v1.3/os/kmip-spec-v1.3-os.htmlhttp://docs.oasis-open.org/kmip/spec/v1.3/os/kmip-spec-v1.3-os.pdfhttp://docs.oasis-open.org/kmip/spec/v1.3/csprd01/kmip-spec-v1.3-csprd01.docxhttp://docs.oasis-open.org/kmip/spec/v1.3/csprd01/kmip-spec-v1.3-csprd01.htmlhttp://docs.oasis-open.org/kmip/spec/v1.3/csprd01/kmip-spec-v1.3-csprd01.pdfhttp://docs.oasis-open.org/kmip/spec/v1.3/kmip-spec-v1.3.docxhttp://docs.oasis-open.org/kmip/spec/v1.3/kmip-spec-v1.3.htmlhttp://docs.oasis-open.org/kmip/spec/v1.3/kmip-spec-v1.3.pdfhttps://www.oasis-open.org/committees/kmip/mailto:[email protected]://www.cryptsoft.com/mailto:[email protected]://www.oracle.com/mailto:[email protected]://www.vmware.com/mailto:[email protected]://www.cryptsoft.com/http://docs.oasis-open.org/kmip/spec/v1.0/os/kmip-spec-1.0-os.htmlhttp://docs.oasis-open.org/kmip/spec/v1.0/os/kmip-spec-1.0-os.htmlhttp://docs.oasis-open.org/kmip/spec/v1.1/os/kmip-spec-v1.1-os.htmlhttp://docs.oasis-open.org/kmip/spec/v1.1/os/kmip-spec-v1.1-os.htmlhttp://docs.oasis-open.org/kmip/spec/v1.2/os/kmip-spec-v1.2-os.htmlhttp://docs.oasis-open.org/kmip/spec/v1.2/os/kmip-spec-v1.2-os.htmlhttp://docs.oasis-open.org/kmip/profiles/v1.3/kmip-profiles-v1.3.htmlhttp://docs.oasis-open.org/kmip/profiles/v1.3/kmip-profiles-v1.3.htmlhttps://www.oasis-open.org/


Key Management Interoperability Protocol Test Cases Version 1.3. Edited by Tim Hudson and Mark Joseph. Latest version: http://docs.oasis-open.org/kmip/testcases/v1.3/kmip-testcases-v1.3.html.

Key Management Interoperability Protocol Usage Guide Version 1.3. Edited by Judy Furlong.

Latest version: http://docs.oasis-open.org/kmip/ug/v1.3/kmip-ug-v1.3.html.

Abstract: This document is intended for developers and architects who wish to design systems and applications that interoperate using the Key Management Interoperability Protocol Specification.

Status: This document was last revised or approved by the Members of OASIS on the above date. The level of approval is also listed above. Check the “Latest version” location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip#technical.

TC members should send comments on this specification to the TC’s email list. Others should send comments to the TC’s public comment list, after subscribing to it by following the instructions at the “Send A Comment” button on the TC’s web page at https://www.oasis-open.org/committees/kmip/.

For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC’s web page (https://www.oasis-open.org/committees/kmip/ipr.php).

Note that any machine-readable content (aka Computer Language Definitions) declared Normative for this Work Product is provided in separate plain text files. In the event of a discrepancy between any such plain text file and display content in the Work Product's prose narrative document(s), the content in the separate plain text file prevails.

Citation format:

When referencing this specification the following citation format should be used:

[kmip-spec-v1.3]

Key Management Interoperability Protocol Specification Version 1.3. Edited by Kiran Thota and Tony Cox. 27 December 2016. OASIS Standard. http://docs.oasis-open.org/kmip/spec/v1.3/os/kmip-spec-v1.3-os.html. Latest version: http://docs.oasis-open.org/kmip/spec/v1.3/kmip-spec-v1.3.html.

http://docs.oasis-open.org/kmip/testcases/v1.3/kmip-testcases-v1.3.htmlhttp://docs.oasis-open.org/kmip/testcases/v1.3/kmip-testcases-v1.3.htmlhttp://docs.oasis-open.org/kmip/ug/v1.3/kmip-ug-v1.3.htmlhttps://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip#technicalhttps://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip#technicalhttps://www.oasis-open.org/committees/comments/index.php?wg_abbrev=kmiphttps://www.oasis-open.org/committees/kmip/https://www.oasis-open.org/committees/kmip/https://www.oasis-open.org/committees/kmip/ipr.phphttps://www.oasis-open.org/committees/kmip/ipr.phphttp://docs.oasis-open.org/kmip/spec/v1.3/os/kmip-spec-v1.3-os.htmlhttp://docs.oasis-open.org/kmip/spec/v1.3/os/kmip-spec-v1.3-os.htmlhttp://docs.oasis-open.org/kmip/spec/v1.3/kmip-spec-v1.3.htmlhttp://docs.oasis-open.org/kmip/spec/v1.3/kmip-spec-v1.3.html


Notices

Copyright © OASIS Open 2016. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.

OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.

The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above guidance.

https://www.oasis-open.org/policies-guidelines/iprhttps://www.oasis-open.org/https://www.oasis-open.org/policies-guidelines/trademark


Table of Contents

1 Introduction ......................................................................................................................................... 11

Terminology ...................................................................................................................................... 11 1.1

Normative References ...................................................................................................................... 14 1.2

Non-Normative References .............................................................................................................. 17 1.3

2 Objects ............................................................................................................................................... 18

Base Objects .................................................................................................................................... 18 2.1

2.1.1 Attribute ..................................................................................................................................... 18

2.1.2 Credential .................................................................................................................................. 19

2.1.3 Key Block ................................................................................................................................... 20

2.1.4 Key Value .................................................................................................................................. 21

2.1.5 Key Wrapping Data ................................................................................................................... 22

2.1.6 Key Wrapping Specification ...................................................................................................... 24

2.1.7 Transparent Key Structures ...................................................................................................... 24 2.1.7.1 Transparent Symmetric Key .............................................................................................................. 25 2.1.7.2 Transparent DSA Private Key ............................................................................................................ 26 2.1.7.3 Transparent DSA Public Key ............................................................................................................. 26 2.1.7.4 Transparent RSA Private Key ............................................................................................................ 26 2.1.7.5 Transparent RSA Public Key ............................................................................................................. 27 2.1.7.6 Transparent DH Private Key .............................................................................................................. 27 2.1.7.7 Transparent DH Public Key ............................................................................................................... 27 2.1.7.8 Transparent ECDSA Private Key ....................................................................................................... 28 2.1.7.9 Transparent ECDSA Public Key ........................................................................................................ 28 2.1.7.10 Transparent ECDH Private Key ....................................................................................................... 28 2.1.7.11 Transparent ECDH Public Key......................................................................................................... 29 2.1.7.12 Transparent ECMQV Private Key .................................................................................................... 29 2.1.7.13 Transparent ECMQV Public Key ...................................................................................................... 29 2.1.7.14 Transparent EC Private Key ............................................................................................................ 30 2.1.7.15 Transparent EC Public Key .............................................................................................................. 30

2.1.8 Template-Attribute Structures ................................................................................................... 30

2.1.9 Extension Information ................................................................................................................ 31

2.1.10 Data ......................................................................................................................................... 31

2.1.11 Data Length ............................................................................................................................. 31

2.1.12 Signature Data ........................................................................................................................ 31

2.1.13 MAC Data ................................................................................................................................ 32

2.1.14 Nonce ...................................................................................................................................... 32

2.1.15 Correlation Value ..................................................................................................................... 32

2.1.16 Init Indicator ............................................................................................................................. 32

2.1.17 Final Indicator .......................................................................................................................... 33

2.1.18 RNG Parameters ..................................................................................................................... 33

2.1.19 Profile Information ................................................................................................................... 33

2.1.20 Validation Information .............................................................................................................. 34

2.1.21 Capability Information .............................................................................................................. 34

Managed Objects .............................................................................................................................. 35 2.2

2.2.1 Certificate .................................................................................................................................. 35


2.2.2 Symmetric Key .......................................................................................................................... 35

2.2.3 Public Key .................................................................................................................................. 36

2.2.4 Private Key ................................................................................................................................ 36

2.2.5 Split Key .................................................................................................................................... 36

2.2.6 Template .................................................................................................................................... 37

2.2.7 Secret Data................................................................................................................................ 38

2.2.8 Opaque Object .......................................................................................................................... 38

2.2.9 PGP Key .................................................................................................................................... 38

3 Attributes ............................................................................................................................................ 39

Unique Identifier ................................................................................................................................ 40 3.1

Name ................................................................................................................................................ 41 3.2

Object Type....................................................................................................................................... 41 3.3

Cryptographic Algorithm ................................................................................................................... 42 3.4

Cryptographic Length ....................................................................................................................... 42 3.5

Cryptographic Parameters ................................................................................................................ 43 3.6

Cryptographic Domain Parameters .................................................................................................. 45 3.7

Certificate Type ................................................................................................................................. 46 3.8

Certificate Length .............................................................................................................................. 46 3.9

X.509 Certificate Identifier .............................................................................................................. 47 3.10

X.509 Certificate Subject ................................................................................................................ 47 3.11

X.509 Certificate Issuer .................................................................................................................. 48 3.12

Certificate Identifier ......................................................................................................................... 49 3.13

Certificate Subject ........................................................................................................................... 49 3.14

Certificate Issuer ............................................................................................................................. 50 3.15

Digital Signature Algorithm ............................................................................................................. 51 3.16

Digest .............................................................................................................................................. 51 3.17

Operation Policy Name ................................................................................................................... 52 3.18

3.18.1 Operations outside of operation policy control ........................................................................ 53

3.18.2 Default Operation Policy .......................................................................................................... 53 3.18.2.1 Default Operation Policy for Secret Objects ..................................................................................... 53 3.18.2.2 Default Operation Policy for Certificates and Public Key Objects .................................................... 54 3.18.2.3 Default Operation Policy for Template Objects ................................................................................ 55

Cryptographic Usage Mask ............................................................................................................ 56 3.19

Lease Time ..................................................................................................................................... 57 3.20

Usage Limits ................................................................................................................................... 58 3.21

State ................................................................................................................................................ 59 3.22

Initial Date ....................................................................................................................................... 61 3.23

Activation Date ................................................................................................................................ 62 3.24

Process Start Date .......................................................................................................................... 62 3.25

Protect Stop Date ........................................................................................................................... 63 3.26

Deactivation Date ........................................................................................................................... 64 3.27

Destroy Date ................................................................................................................................... 64 3.28

Compromise Occurrence Date ....................................................................................................... 65 3.29

Compromise Date ........................................................................................................................... 65 3.30

Revocation Reason ........................................................................................................................ 66 3.31

Archive Date ................................................................................................................................... 66 3.32


Object Group .................................................................................................................................. 67 3.33

Fresh ............................................................................................................................................... 67 3.34

Link ................................................................................................................................................. 68 3.35

Application Specific Information ..................................................................................................... 69 3.36

Contact Information ........................................................................................................................ 70 3.37

Last Change Date ........................................................................................................................... 71 3.38

Custom Attribute ............................................................................................................................. 71 3.39

Alternative Name ............................................................................................................................ 72 3.40

Key Value Present .......................................................................................................................... 72 3.41

Key Value Location ......................................................................................................................... 73 3.42

Original Creation Date .................................................................................................................... 74 3.43

Random Number Generator ........................................................................................................... 74 3.44

4 Client-to-Server Operations ................................................................................................................ 76

Create ............................................................................................................................................... 77 4.1

Create Key Pair ................................................................................................................................ 78 4.2

Register ............................................................................................................................................. 81 4.3

Re-key ............................................................................................................................................... 83 4.4

Re-key Key Pair ................................................................................................................................ 85 4.5

Derive Key ........................................................................................................................................ 89 4.6

Certify ................................................................................................................................................ 93 4.7

Re-certify........................................................................................................................................... 94 4.8

Locate ............................................................................................................................................... 97 4.9

Check .............................................................................................................................................. 99 4.10

Get ................................................................................................................................................ 100 4.11

Get Attributes ................................................................................................................................ 101 4.12

Get Attribute List ........................................................................................................................... 102 4.13

Add Attribute ................................................................................................................................. 102 4.14

Modify Attribute ............................................................................................................................. 103 4.15

Delete Attribute ............................................................................................................................. 103 4.16

Obtain Lease ................................................................................................................................ 104 4.17

Get Usage Allocation .................................................................................................................... 105 4.18

Activate ......................................................................................................................................... 105 4.19

Revoke .......................................................................................................................................... 106 4.20

Destroy .......................................................................................................................................... 106 4.21

Archive .......................................................................................................................................... 107 4.22

Recover......................................................................................................................................... 107 4.23

Validate ......................................................................................................................................... 108 4.24

Query ............................................................................................................................................ 108 4.25

Discover Versions ......................................................................................................................... 111 4.26

Cancel ........................................................................................................................................... 111 4.27

Poll ................................................................................................................................................ 112 4.28

Encrypt .......................................................................................................................................... 112 4.29

Decrypt .......................................................................................................................................... 114 4.30

Sign ............................................................................................................................................... 115 4.31

Signature Verify ............................................................................................................................ 117 4.32


MAC .............................................................................................................................................. 118 4.33

MAC Verify .................................................................................................................................... 120 4.34

RNG Retrieve ............................................................................................................................... 121 4.35

RNG Seed..................................................................................................................................... 121 4.36

Hash .............................................................................................................................................. 122 4.37

Create Split Key ............................................................................................................................ 123 4.38

Join Split Key ................................................................................................................................ 124 4.39

5 Server-to-Client Operations .............................................................................................................. 126

Notify ............................................................................................................................................... 126 5.1

Put ................................................................................................................................................... 126 5.2

Query .............................................................................................................................................. 127 5.3

6 Message Contents............................................................................................................................ 131

Protocol Version ............................................................................................................................. 131 6.1

Operation ........................................................................................................................................ 131 6.2

Maximum Response Size ............................................................................................................... 131 6.3

Unique Batch Item ID ...................................................................................................................... 131 6.4

Time Stamp..................................................................................................................................... 132 6.5

Authentication ................................................................................................................................. 132 6.6

Asynchronous Indicator .................................................................................................................. 132 6.7

Asynchronous Correlation Value .................................................................................................... 132 6.8

Result Status .................................................................................................................................. 133 6.9

Result Reason .............................................................................................................................. 133 6.10

Result Message ............................................................................................................................ 134 6.11

Batch Order Option ....................................................................................................................... 134 6.12

Batch Error Continuation Option ................................................................................................... 134 6.13

Batch Count .................................................................................................................................. 135 6.14

Batch Item ..................................................................................................................................... 135 6.15

Message Extension ...................................................................................................................... 135 6.16

Attestation Capable Indicator........................................................................................................ 135 6.17

7 Message Format ............................................................................................................................... 137

Message Structure .......................................................................................................................... 137 7.1

Operations ...................................................................................................................................... 137 7.2

8 Authentication ................................................................................................................................... 140

9 Message Encoding ........................................................................................................................... 141

TTLV Encoding ............................................................................................................................... 141 9.1

9.1.1 TTLV Encoding Fields ............................................................................................................. 141 9.1.1.1 Item Tag ........................................................................................................................................... 141 9.1.1.2 Item Type ......................................................................................................................................... 141 9.1.1.3 Item Length ...................................................................................................................................... 142 9.1.1.4 Item Value ........................................................................................................................................ 142

9.1.2 Examples ................................................................................................................................. 143

9.1.3 Defined Values ........................................................................................................................ 144 9.1.3.1 Tags ................................................................................................................................................. 144 9.1.3.2 Enumerations ................................................................................................................................... 151

9.1.3.2.1 Credential Type Enumeration................................................................................................... 151 9.1.3.2.2 Key Compression Type Enumeration ....................................................................................... 152


9.1.3.2.3 Key Format Type Enumeration ................................................................................................ 152 9.1.3.2.4 Wrapping Method Enumeration ................................................................................................ 153 9.1.3.2.5 Recommended Curve Enumeration ......................................................................................... 153 9.1.3.2.6 Certificate Type Enumeration ................................................................................................... 155 9.1.3.2.7 Digital Signature Algorithm Enumeration ................................................................................. 156 9.1.3.2.8 Split Key Method Enumeration ................................................................................................. 156 9.1.3.2.9 Secret Data Type Enumeration ................................................................................................ 157 9.1.3.2.10 Opaque Data Type Enumeration ............................................................................................ 157 9.1.3.2.11 Name Type Enumeration ....................................................................................................... 157 9.1.3.2.12 Object Type Enumeration....................................................................................................... 157 9.1.3.2.13 Cryptographic Algorithm Enumeration ................................................................................... 158 9.1.3.2.14 Block Cipher Mode Enumeration ............................................................................................ 159 9.1.3.2.15 Padding Method Enumeration ................................................................................................ 159 9.1.3.2.16 Hashing Algorithm Enumeration ............................................................................................. 160 9.1.3.2.17 Key Role Type Enumeration .................................................................................................. 161 9.1.3.2.18 State Enumeration ................................................................................................................. 161 9.1.3.2.19 Revocation Reason Code Enumeration ................................................................................. 162 9.1.3.2.20 Link Type Enumeration .......................................................................................................... 162 9.1.3.2.21 Derivation Method Enumeration ............................................................................................. 163 9.1.3.2.22 Certificate Request Type Enumeration .................................................................................. 163 9.1.3.2.23 Validity Indicator Enumeration ................................................................................................ 163 9.1.3.2.24 Query Function Enumeration ................................................................................................. 164 9.1.3.2.25 Cancellation Result Enumeration ........................................................................................... 164 9.1.3.2.26 Put Function Enumeration ...................................................................................................... 164 9.1.3.2.27 Operation Enumeration .......................................................................................................... 165 9.1.3.2.28 Result Status Enumeration ..................................................................................................... 166 9.1.3.2.29 Result Reason Enumeration .................................................................................................. 167 9.1.3.2.30 Batch Error Continuation Option Enumeration ....................................................................... 167 9.1.3.2.31 Usage Limits Unit Enumeration .............................................................................................. 168 9.1.3.2.32 Encoding Option Enumeration ............................................................................................... 168 9.1.3.2.33 Object Group Member Enumeration ...................................................................................... 168 9.1.3.2.34 Alternative Name Type Enumeration ..................................................................................... 168 9.1.3.2.35 Key Value Location Type Enumeration .................................................................................. 169 9.1.3.2.36 Attestation Type Enumeration ................................................................................................ 169 9.1.3.2.37 RNG Algorithm Enumeration .................................................................................................. 169 9.1.3.2.38 DRBG Algorithm Enumeration ............................................................................................... 170 9.1.3.2.39 FIPS186 Variation Enumeration ............................................................................................. 170 9.1.3.2.40 Validation Authority Type Enumeration .................................................................................. 170 9.1.3.2.41 Validation Type Enumeration ................................................................................................. 170 9.1.3.2.42 Profile Name Enumeration ..................................................................................................... 171 9.1.3.2.43 Unwrap Mode Enumeration.................................................................................................... 174 9.1.3.2.44 Destroy Action Enumeration................................................................................................... 174 9.1.3.2.45 Shredding Algorithm Enumeration ......................................................................................... 175 9.1.3.2.46 RNG Mode Enumeration ........................................................................................................ 175 9.1.3.2.47 Client Registration Method Enumeration ................................................................................ 175

9.1.3.3 Bit Masks ......................................................................................................................................... 176 9.1.3.3.1 Cryptographic Usage Mask ...................................................................................................... 176 9.1.3.3.2 Storage Status Mask ................................................................................................................ 176

10 Transport .......................................................................................................................................... 177


11 Error Handling .................................................................................................................................. 178

General ......................................................................................................................................... 178 11.1

Create ........................................................................................................................................... 179 11.2

Create Key Pair ............................................................................................................................ 179 11.3

Register......................................................................................................................................... 180 11.4

Re-key ........................................................................................................................................... 181 11.5

Re-key Key Pair ............................................................................................................................ 181 11.6

Derive Key .................................................................................................................................... 182 11.7

Certify ............................................................................................................................................ 183 11.8

Re-certify....................................................................................................................................... 183 11.9

Locate ......................................................................................................................................... 183 11.10

Check .......................................................................................................................................... 184 11.11

Get .............................................................................................................................................. 184 11.12

Get Attributes .............................................................................................................................. 185 11.13

Get Attribute List ......................................................................................................................... 185 11.14

Add Attribute ............................................................................................................................... 185 11.15

Modify Attribute ........................................................................................................................... 186 11.16

Delete Attribute ........................................................................................................................... 186 11.17

Obtain Lease .............................................................................................................................. 187 11.18

Get Usage Allocation .................................................................................................................. 187 11.19

Activate ....................................................................................................................................... 187 11.20

Revoke ........................................................................................................................................ 188 11.21

Destroy........................................................................................................................................ 188 11.22

Archive ........................................................................................................................................ 188 11.23

Recover....................................................................................................................................... 188 11.24

Validate ....................................................................................................................................... 188 11.25

Query .......................................................................................................................................... 189 11.26

Discover Versions ....................................................................................................................... 189 11.27

Cancel ......................................................................................................................................... 189 11.28

Poll .............................................................................................................................................. 189 11.29

Encrypt ........................................................................................................................................ 189 11.30

Decrypt........................................................................................................................................ 189 11.31

Sign ............................................................................................................................................. 190 11.32

Signature Verify .......................................................................................................................... 190 11.33

MAC ............................................................................................................................................ 191 11.34

MAC Verify .................................................................................................................................. 191 11.35

RNG Retrieve ............................................................................................................................. 191 11.36

RNG Seed .................................................................................................................................. 192 11.37

HASH .......................................................................................................................................... 192 11.38

Create Split Key .......................................................................................................................... 192 11.39

Join Split Key .............................................................................................................................. 193 11.40

Batch Items ................................................................................................................................. 193 11.41

12 KMIP Server and Client Implementation Conformance ................................................................... 195

KMIP Server Implementation Conformance ................................................................................. 195 12.1

KMIP Client Implementation Conformance .................................................................................. 195 12.2


Appendix A. Acknowledgments ........................................................................................................... 196

Appendix B. Attribute Cross-Reference .............................................................................................. 198

Appendix C. Tag Cross-Reference ...................................................................................................... 200

Appendix D. Operations and Object Cross-Reference ........................................................................ 206

Appendix E. Acronyms ........................................................................................................................ 208

Appendix F. List of Figures and Tables ............................................................................................... 211

Appendix G. Revision History .............................................................................................................. 220


1 Introduction This document is intended as a specification of the protocol used for the communication between clients and servers to perform certain management operations on objects stored and maintained by a key management system. These objects are referred to as Managed Objects in this specification. They include symmetric and asymmetric cryptographic keys, digital certificates, and templates used to simplify the creation of objects and control their use. Managed Objects are managed with operations that include the ability to generate cryptographic keys, register objects with the key management system, obtain objects from the system, destroy objects from the system, and search for objects maintained by the system. Managed Objects also have associated attributes, which are named values stored by the key management system and are obtained from the system via operations. Certain attributes are added, modified, or deleted by operations.

The protocol specified in this document includes several certificate-related functions for which there are a number of existing protocols – namely Validate (e.g., SCVP or XKMS), Certify (e.g., CMP [RFC4210], CMC [RFC5272][RFC6402], SCEP) and Re-certify (e.g., CMP [RFC4210], CMC [RFC5272][RFC6402], SCEP). The protocol does not attempt to define a comprehensive certificate management protocol, such as would be needed for a certification authority. However, it does include functions that are needed to allow a key server to provide a proxy for certificate management functions.

In addition to the normative definitions for managed objects, operations and attributes, this specification also includes normative definitions for the following aspects of the protocol:

The expected behavior of the server and client as a result of operations,

Message contents and formats,

Message encoding (including enumerations), and

Error handling.

This specification is complemented by several other documents. The KMIP Usage Guide[KMIP-UG] provides illustrative information on using the protocol. The KMIP Profiles Specification [KMIP-Prof] provides a selected set of base level conformance profiles and authentication suites; additional KMIP Profiles define specific sets of KMIP functionality for conformance purposes. The KMIP Test Specification [KMIP-TC] provides samples of protocol messages corresponding to a set of defined test cases. The KMIP Use Cases document [KMIP-UC] provides user stories that define the use of and context for functionality defined in KMIP.

This specification defines the KMIP protocol version major 1 and minor 2 (see 6.1).

Terminology 1.1

The key words “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119] .

For acronyms used in this document, see Appendix E. For definitions not found in this document, see [SP800-57-1].

Archive To place information not accessed frequently into long-term storage.

Asymmetric key pair

(key pair)

A public key and its corresponding private key; a key pair is used with a public key algorithm.

Authentication A process that establishes the origin of information, or determines an entity’s identity.

Authentication code A cryptographic checksum based on a security function.


Authorization Access privileges that are granted to an entity; conveying an “official” sanction to perform a security function or activity.

Certificate length The length (in bytes) of an X.509 public key certificate.

Certification authority The entity in a Public Key Infrastructure (PKI) that is responsible for issuing certificates, and exacting compliance to a PKI policy.

Ciphertext Data in its encrypted form.

Compromise The unauthorized disclosure, modification, substitution or use of sensitive data (e.g., keying material and other security-related information).

Confidentiality The property that sensitive information is not disclosed to unauthorized entities.

Cryptographic algorithm

A well-defined computational procedure that takes variable inputs, including a cryptographic key and produces an output.

Cryptographic key (key)

A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples include:

1. The transformation of plaintext data into ciphertext data,

2. The transformation of ciphertext data into plaintext data,

3. The computation of a digital signature from data,

4. The verification of a digital signature,

5. The computation of an authentication code from data, and

6. The verification of an authentication code from data and a received authentication code.

Decryption The process of changing ciphertext into plaintext using a cryptographic algorithm and key.

Digest (or hash) The result of applying a hashing algorithm to information.

Digital signature (signature)

The result of a cryptographic transformation of data that, when properly implemented with supporting infrastructure and policy, provides the services of:

1. origin authentication

2. data integrity, and

3. signer non-repudiation.

Digital Signature Algorithm

A cryptographic algorithm used for digital signature.

Encryption The process of changing plaintext into ciphertext using a cryptographic algorithm and key.

Hashing algorithm (or hash algorithm, hash function)

An algorithm that maps a bit string of arbitrary length to a fixed length bit string. Approved hashing algorithms satisfy the following properties:

1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and

2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.


Integrity The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.

Key derivation (derivation)

A function in the lifecycle of keying material; the process by which one or more keys are derived from:

1) Either a shared secret from a key agreement computation or a pre-shared cryptographic key, and

2) Other information.

Key management The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and destruction.

Key wrapping (wrapping)

A method of encrypting and/or MACing/signing keys.

Message Authentication Code (MAC)

A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of data.

PGP Key A RFC 4880-compliant container of cryptographic keys and associated metadata. Usually text-based (in PGP-parlance, ASCII-armored).

Private key A cryptographic key used with a public key cryptographic algorithm that is uniquely associated with an entity and is not made public. The private key is associated with a public key. Depending on the algorithm, the private key MAY be used to:

1. Compute the corresponding public key,

2. Compute a digital signature that can be verified by the corresponding public key,

3. Decrypt data that was encrypted by the corresponding public key, or

4. Compute a piece of common shared data, together with other information.

Profile A specification of objects, attributes, operations, message elements and authentication methods to be used in specific contexts of key management server and client interactions (see [KMIP-Prof]).

Public key A cryptographic key used with a public key cryptographic algorithm that is uniquely associated with an entity and that MAY be made public. The public key is associated with a private key. The public key MAY be known by anyone and, depending on the algorithm, MAY be used to:

1. Verify a digital signature that is signed by the corresponding private key,

2. Encrypt data that can be decrypted by the corresponding private key, or

3. Compute a piece of shared data.

Public key certificate (certificate)

A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity.

Public key cryptographic algorithm

A cryptographic algorithm that uses two related keys, a public key and a private key. The two keys have the property that determining the private key from the public key is computationally infeasible.


Public Key Infrastructure

A framework that is established to issue, maintain and revoke public key certificates.

Recover To retrieve information that was archived to long-term storage.

Split Key A process by which a cryptographic key is split into n multiple key components, individually providing no knowledge of the original key, which can be subsequently combined to recreate the original cryptographic key. If knowledge of k (where k is less than or equal to n) components is necessary to construct the original key, then knowledge of any k-1 key components provides no information about the original key

other than, possibly, its length.

Symmetric key A single cryptographic key that is used with a secret (symmetric) key algorithm.

Symmetric key algorithm

A cryptographic algorithm that uses the same secret (symmetric) key for an operation and its inverse (e.g., encryption and decryption).

X.509 certificate The ISO/ITU-T X.509 standard defined two types of certificates – the X.509 public key certificate, and the X.509 attribute certificate. Most commonly (including this document), an X.509 certificate refers to the X.509 public key certificate.

X.509 public key certificate

The public key for a user (or device) and a name for the user (or device), together with some other information, rendered un-forgeable by the digital signature of the certification authority that issued the certificate, encoded in the format defined in the ISO/ITU-T X.509 standard.

Table 1: Terminology

Normative References 1.2

[ECC-Brainpool] ECC Brainpool Standard Curves and Curve Generation v. 1.0.19.10.2005, http://www.ecc-brainpool.org/download/Domain-parameters.pdf.

[FIPS180-4] Secure Hash Standard (SHS), FIPS PUB 186-4, March 2012, http://csrc.nist.gov/publications/fips/fips18-4/fips-180-4.pdf.

[FIPS186-4] Digital Signature Standard (DSS), FIPS PUB 186-4, July 2013, http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.

[FIPS197] Advanced Encryption Standard, FIPS PUB 197, November 2001, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

[FIPS198-1] The Keyed-Hash Message Authentication Code (HMAC), FIPS PUB 198-1, July 2008, http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf.

[IEEE1003-1] IEEE Std 1003.1, Standard for information technology - portable operating system interface (POSIX). Shell and utilities, 2004.

[ISO16609] ISO, Banking -- Requirements for message authentication using symmetric techniques, ISO 16609, 2012.

[ISO9797-1] ISO/IEC, Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 1: Mechanisms using a block cipher, ISO/IEC 9797-1, 2011.

[KMIP-Prof] Key Management Interoperability Protocol Profiles Version 1.3. Edited by Tim Hudson and Robert Lockhart. Latest version: http://docs.oasis-open.org/kmip/profiles/v1.3/kmip-profiles-v1.3.html.

[PKCS#1] RSA Laboratories, PKCS #1 v2.1: RSA Cryptography Standard, June 14, 2002, http://www.rsa.com/rsalabs/node.asp?id=2125.

http://www.ecc-brainpool.org/download/Domain-parameters.pdfhttp://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdfhttp://csrc.nist.gov/publications/fips/fips197/fips-197.pdfhttp://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdfhttp://docs.oasis-open.org/kmip/profiles/v1.3/kmip-profiles-v1.3.htmlhttp://docs.oasis-open.org/kmip/profiles/v1.3/kmip-profiles-v1.3.htmlhttp://www.rsa.com/rsalabs/node.asp?id=2125


[PKCS#5] RSA Laboratories, PKCS #5 v2.1: Password-Based Cryptography Standard, October 5, 2006, http://www.rsa.com/rsalabs/node.asp?id=2127.

[PKCS#8] RSA Laboratories, PKCS#8 v1.2: Private-Key Information Syntax Standard, November 1, 1993, http://www.rsa.com/rsalabs/node.asp?id=2130.

[PKCS#10] RSA Laboratories, PKCS #10 v1.7: Certification Request Syntax Standard, May 26, 2000, http://www.rsa.com/rsalabs/node.asp?id=2132.

[RFC1319] B. Kaliski, The MD2 Message-Digest Algorithm, IETF RFC 1319, Apr 1992, http://www.ietf.org/rfc/rfc1319.txt.

[RFC1320] R. Rivest, The MD4 Message-Digest Algorithm, IETF RFC 1320, April 1992, http://www.ietf.org/rfc/rfc1320.txt.

[RFC1321] R. Rivest, The MD5 Message-Digest Algorithm, IETF RFC 1321, April 1992, http://www.ietf.org/rfc/rfc1321.txt.

[RFC1421] J. Linn, Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures, IETF RFC 1421, February 1993, http://www.ietf.org/rfc/rfc1421.txt.

[RFC1424] B. Kaliski, Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services, IETF RFC 1424, Feb 1993, http://www.ietf.org/rfc/rfc1424.txt.

[RFC2104] H. Krawczyk, M. Bellare, R. Canetti, HMAC: Keyed-Hashing for Message Authentication, IETF RFC 2104, February 1997, http://www.ietf.org/rfc/rfc2104.txt.

[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, IETF RFC 2119, March 1997, http://www.ietf.org/rfc/rfc2119.txt.

[RFC2898] B. Kaliski, PKCS #5: Password-Based Cryptography Specification Version 2.0, IETF RFC 2898, September 2000, http://www.ietf.org/rfc/rfc2898.txt.

[RFC2986] M. Nystrom and B. Kaliski, PKCS #10: Certification Request Syntax Specification Version 1.7, IETF RFC2986, November 2000, http://www.rfc-editor.org/rfc/rfc2986.txt.

[RFC3447] J. Jonsson, B. Kaliski, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1, IETF RFC 3447, Feb 2003, http://www.ietf.org/rfc/rfc3447.txt.

[RFC3629] F. Yergeau, UTF-8, a transformation format of ISO 10646, IETF RFC 3629, November 2003, http://www.ietf.org/rfc/rfc3629.txt.

[RFC3686] R. Housley, Using Advanced Encryption Standard (AES) Counter Mode with IPsec Encapsulating Security Payload (ESP), IETF RFC 3686, January 2004, http://www.ietf.org/rfc/rfc3686.txt.

[RFC4210] C. Adams, S. Farrell, T. Kause and T. Mononen, Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP), IETF RFC 4210, September 2005, http://www.ietf.org/rfc/rfc4210.txt.

[RFC4211] J. Schaad, Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF), IETF RFC 4211, September 2005, http://www.ietf.org/rfc/rfc4211.txt.

[RFC4880] J. Callas, L. Donnerhacke, H. Finney, D. Shaw, and R. Thayer, OpenPGP Message Format, IETF RFC 4880, November 2007, http://www.ietf.org/rfc/rfc4880.txt.

[RFC4949] R. Shirey, Internet Security Glossary, Version 2, IETF RFC 4949, August 2007, http://www.ietf.org/rfc/rfc4949.txt.

[RFC5208] B. Kaliski, Public Key Cryptographic Standards (PKCS) #8: Private-Key Information Syntax Specification Version 1.2, IETF RFC5208, May 2008, http://www.rfc-editor.org/rfc/rfc5208.txt.

[RFC5272] J. Schaad and M. Meyers, Certificate Management over CMS (CMC), IETF RFC 5272, June 2008, http://www.ietf.org/rfc/rfc5272.txt.

http://www.rsa.com/rsalabs/node.asp?id=2127http://www.rsa.com/rsalabs/node.asp?id=2130http://www.rsa.com/rsalabs/node.asp?id=2132http://www.ietf.org/rfc/rfc1319.txthttp://www.ietf.org/rfc/rfc1320.txthttp://www.ietf.org/rfc/rfc1321.txthttp://www.ietf.org/rfc/rfc1421.txthttp://www.ietf.org/rfc/rfc1424.txthttp://www.ietf.org/rfc/rfc2104.txthttp://www.ietf.org/rfc/rfc2119.txthttp://www.ietf.org/rfc/rfc2898.txthttp://www.rfc-editor.org/rfc/rfc2986.txthttp://www.rfc-editor.org/rfc/rfc2986.txthttp://www.ietf.org/rfc/rfc3447.txthttp://www.ietf.org/rfc/rfc3629.txthttp://www.ietf.org/rfc/rfc3686.txthttp://www.ietf.org/rfc/rfc4210.txthttp://www.ietf.org/rfc/rfc4211.txthttp://www.ietf.org/rfc/rfc4880.txthttp://www.ietf.org/rfc/rfc4949.txthttp://www.rfc-editor.org/rfc/rfc5208.txthttp://www.ietf.org/rfc/rfc5272.txt


[RFC5280] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk, Internet X.509 Public Key Infrastructure Certificate, IETF RFC 5280, May 2008, http://www.ietf.org/rfc/rfc5280.txt.

[RFC5639] M. Lochter, J. Merkle, Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation, IETF RFC 5639, March 2010, http://www.ietf.org/rfc/rfc5639.txt.

[RFC6402] J. Schaad, Certificate Management over CMS (CMC) Updates, IETF RFC6402, November 2011, http://www.rfc-editor.org/rfc/rfc6402.txt.

[RFC6818] P. Yee, Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, IETF RFC6818, January 2013, http://www.rfc-editor.org/rfc/rfc6818.txt.

[SEC2] SEC 2: Recommended Elliptic Curve Domain Parameters, http://www.secg.org/collateral/sec2_final.pdf.

[SP800-38A] M. Dworkin, Recommendation for Block Cipher Modes of Operation – Methods and Techniques, NIST Special Publication 800-38A, December 2001, http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf.

[SP800-38B] M. Dworkin, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, NIST Special Publication 800-38B, May 2005, http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf.

[SP800-38C] M. Dworkin, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality, NIST Special Publication 800-38C, May 2004, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf.

[SP800-38D] M. Dworkin, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, NIST Special Publication 800-38D, Nov 2007, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf.

[SP800-38E] M. Dworkin, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Block-Oriented Storage Devices, NIST Special Publication 800-38E, January 2010, http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf.

[SP800-56A] E. Barker, L. Chen, A. Roginsky and M. Smid, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, NIST Special Publication 800-56A Revision 2, May 2013, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf.

[SP800-57-1] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, Recommendations for Key Management - Part 1: General (Revision 3), NIST Special Publication 800-57 Part 1 Revision 3, July 2012, http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf.

[SP800-108] L. Chen, Recommendation for Key Derivation Using Pseudorandom Functions (Revised), NIST Special Publication 800-108, Oct 2009, http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf.

[X.509] International Telecommunication Union (ITU)–T, X.509: Information technology – Open systems interconnection – The Directory: Public-key and attribute certificate frameworks, November 2008, http://www.itu.int/rec/recommendation.asp?lang=en&parent=T-REC-X.509-200811-1.

[X9.24-1] ANSI, X9.24 - Retail Financial Services Symmetric Key Management - Part 1: Using Symmetric Techniques, 2009.

[X9.31] ANSI, X9.31: Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), September 1998.

[X9.42] ANSI, X9.42: Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, 2003.

[X9.62] ANSI, X9.62: Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), 2005.

http://www.ietf.org/rfc/rfc5280.txthttp://www.ietf.org/rfc/rfc5639.txthttp://www.rfc-editor.org/rfc/rfc6402.txthttp://www.rfc-editor.org/rfc/rfc6818.txthttp://www.secg.org/collateral/sec2_final.pdfhttp://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdfhttp://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdfhttp://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdfhttp://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdfhttp://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdfhttp://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdfhttp://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdfhttp://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdfhttp://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdfhttp://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdfhttp://www.itu.int/rec/recommendation.asp?lang=en&parent=T-REC-X.509-200811-1http://www.itu.int/rec/recommendation.asp?lang=en&parent=T-REC-X.509-200811-1


[X9.63] ANSI, X9.63: Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography, 2011.

[X9.102] ANSI, X9.102: Symmetric Key Cryptography for the Financial Services Industry - Wrapping of Keys and Associated Data, 2008.

[X9 TR-31] ANSI, X9 TR-31: Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms, 2010.

Non-Normative References 1.3

[ISO/IEC 9945-2] The Open Group, Regular Expressions, The Single UNIX Specification version 2, 1997, ISO/IEC 9945-2:1993, http://www.opengroup.org/onlinepubs/007908799/xbd/re.html.

[KMIP-UG] Key Management Interoperability Protocol Usage Guide Version 1.2. Edited by Indra Fitzgerald and Judith Furlong. Latest version: http://docs.oasis-open.org/kmip/ug/v1.2/kmip-ug-v1.2.doc.

[KMIP-TC] Key Management Interoperability Protocol Test Cases Version 1.2. Edited by Tim Hudson and Faisal Faruqui. Latest version: http://docs.oasis-open.org/kmip/testcases/v1.2/kmip-testcases-v1.2.doc.

[KMIP-UC] Key Management Interoperability Protocol Use Cases Version 1.2 Working Draft 10, June 20, 2013. https://www.oasis-open.org/committees/download.php/49644/kmip-usecases-v1.2-wd10.doc.

[RFC6151] S. Turner and L. Chen, Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms, IETF RFC6151, March 2011, http://www.rfc-editor.org/rfc/rfc6151.txt.

[w1979] A. Shamir, How to share a secret, Communications of the ACM, vol. 22, no. 11, pp. 612-613, November 1979.

http://www.opengroup.org/onlinepubs/007908799/xbd/re.htmlhttp://docs.oasis-open.org/kmip/ug/v1.2/kmip-ug-v1.2.dochttp://docs.oasis-open.org/kmip/ug/v1.2/kmip-ug-v1.2.dochttp://docs.oasis-open.org/kmip/testcases/v1.2/kmip-testcases-v1.2.dochttp://docs.oasis-open.org/kmip/testcases/v1.2/kmip-testcases-v1.2.dochttps://www.oasis-open.org/committees/download.php/49644/kmip-usecases-v1.2-wd10.dochttps://www.oasis-open.org/committees/download.php/49644/kmip-usecases-v1.2-wd10.dochttp://www.rfc-editor.org/rfc/rfc6151.txt


2 Objects The following subsections describe the objects that are passed between the clients and servers of the key management system. Some of these object types, called Base Objects, are used only in the protocol itself, and are not considered Managed Objects. Key management systems MAY choose to support a subset of the Managed Objects. The object descriptions refer to the primitive data types of which they are composed. These primitive data types are (see Section 9.1.1.4):

Integer

Long Integer

Big Integer

Enumeration – choices from a predefined list of values

Boolean

Text String – string of characters representing human-readable text

Byte String – sequence of unencoded byte values

Date-Time – date and time, with a granularity of one second

Interval – a length of time expressed in seconds

Structures are composed of ordered lists of primitive data types or sub-structures.

Base Objects 2.1

These objects are used within the messages of the protocol, but are not objects managed by the key management system. They are components of Managed Objects.

2.1.1 Attribute

An Attribute object is a structure (see Table 2) used for sending and receiving Managed Object attributes. The Attribute Name is a text-string that is used to identify the attribute. The Attribute Index is an index number assigned by the key management server. The Attribute Index is used to identify the particular instance. Attribute Indices SHALL start with 0. The Attribute Index of an attribute SHALL NOT change when other instances are added or deleted. Single-instance Attributes (attributes which an object MAY only have at most one instance thereof) SHALL have an Attribute Index of 0. The Attribute Value is either a primitive data type or structured object, depending on the attribute.

When an Attribute structure is used to specify or return a particular instance of an Attribute and the Attribute Index is not specified it SHALL be assumed to be 0.

Object Encoding REQUIRED

Attribute Structure

Attribute Name Text String Yes

Attribute Index Integer No

Attribute Value Varies, depending on attribute. See Section 3

Yes, except for the Notify operation (see Section 5.1)

Table 2: Attribute Object Structure


2.1.2 Credential

A Credential is a structure (see Table 3) used for client identification purposes and is not managed by the key management system (e.g., user id/password pairs, Kerberos tokens, etc.). It MAY be used for authentication purposes as indicated in [KMIP-Prof].


Credential Structure

Credential Type Enumeration, see 9.1.3.2.1

Yes

Credential Value Varies based on Credential Type.

Yes

Table 3: Credential Object Structure

If the Credential Type in the Credential is Username and Password, then Credential Value is a structure as shown in Table 4. The Username field identifies the client, and the Password field is a secret that authenticates the client.


Credential Value Structure

Username Text String Yes

Password Text String No

Table 4: Credential Value Structure for the Username and Password Credential

If the Credential Type in the Credential is Device, then Credential Value is a structure as shown in Table 5. One or a combination of the Device Serial Number, Network Identifier, Machine Identifier, and Media Identifier SHALL be unique. Server implementations MAY enforce policies on uniqueness for individual fields. A shared secret or password MAY also be used to authenticate the client. The client SHALL provide at least one field.



Device Serial Number

Text String No

Password Text String No

Device Identifier Text String No

Network Identifier Text String No

Machine Identifier Text String No

Media Identifier Text String No

Table 5: Credential Value Structure for the Device Credential

If the Credential Type in the Credential is Attestation, then Credential Value is a structure as shown in Table 6. The Nonce Value is obtained from the key management server in a Nonce Object. The Attestation Credential Object can contain a measurement from the client or an assertion from a third party if the server is not capable or willing to verify the attestation data from the client. Neither type of attestation data (Attestation Measurement or Attestation Assertion) is necessary to allow the server to accept either. However, the client SHALL provide attestation data in either the Attestation Measurement or Attestation Assertion fields.




Nonce Structure, see 2.1.14

Yes

Attestation Type Enumeration, see 9.1.3.2.36

Yes

Attestation Measurement

Byte String No

Attestation Assertion Byte String No

Table 6: Credential Value Structure for the Attestation Credential

2.1.3 Key Block

A Key Block object is a structure (see Table 7) used to encapsulate all of the information that is closely associated with a cryptographic key. It contains a Key Value of one of the following Key Format Types:

Raw – This is a key that contains only cryptographic key material, encoded as a string of bytes.

Opaque – This is an encoded key for which the encoding is unknown to the key management system. It is encoded as a string of bytes.

PKCS1 – This is an encoded private key, expressed as a DER-encoded ASN.1 PKCS#1 object.

PKCS8 – This is an encoded private key, expressed as a DER-encoded ASN.1 PKCS#8 object, supporting both the RSAPrivateKey syntax and EncryptedPrivateKey.

X.509 – This is an encoded object, expressed as a DER-encoded ASN.1 X.509 object.

ECPrivateKey – This is an ASN.1 encoded elliptic curve private key.

Several Transparent Key types – These are algorithm-specific structures containing defined values for the various key types, as defined in Section 2.1.7.

Extensions – These are vendor-specific extensions to allow for proprietary or legacy key formats.

The Key Block MAY contain the Key Compression Type, which indicates the format of the elliptic curve public key. By default, the public key is uncompressed.

The Key Block also has the Cryptographic Algorithm and the Cryptographic Length of the key contained in the Key Value field. Some example values are:

RSA keys are typically 1024, 2048 or 3072 bits in length.

3DES keys are typically from 112 to 192 bits (depending upon key length and the presence of parity bits).

AES keys are 128, 192 or 256 bits in length.

The Key Block SHALL contain a Key Wrapping Data structure if the key in the Key Value field is wrapped (i.e., encrypted, or MACed/signed, or both).



Key Block Structure

Key Format Type Enumeration, see 9.1.3.2.3

Yes

Key Compression Type

Enumeration, see 9.1.3.2.2

No

Key Value Byte String: for wrapped Key Value; Structure: for plaintext Key Value, see 2.1.4

No

Cryptographic Algorithm

Enumeration, see 9.1.3.2.13

Yes. MAY be omitted only if this information is available from the Key Value. Does not apply to Secret Data (see Section 2.2.7) or Opaque Objects (see Section 2.2.8). If present, the Cryptographic Length SHALL also be present.

Cryptographic Length

Integer Yes. MAY be omitted only if this information is available from the Key Value. Does not apply to Secret Data (see Section 2.2.7) or Opaque Objects (see Section 2.2.8). If present, the Cryptographic Algorithm SHALL also be present.

Key Wrapping Data Structure, see 2.1.5 No. SHALL only be present if the key is wrapped.

Table 7: Key Block Object Structure

2.1.4 Key Value

The Key Value is used only inside a Key Block and is either a Byte String or a structure (see Table 8):

The Key Value structure contains the key material, either as a byte string or as a Transparent Key structure (see Section 2.1.7), and OPTIONAL attribute information that is associated and encapsulated with the key material. This attribute information differs from the attributes associated with Managed Objects,

key management interoperability protocol specification ...docs.oasis-open.org › kmip › spec ›...

Documents